Galois field computation

ABSTRACT

A method and device for computing the multiplicative inverse of an element x in Galois field GF(p^(2m)) is proposed. In particular, when p is a prime number and m is an integer, the inverse may be constructed based on the observation that x^(p^m+1) is an element in sub-field GF(p^(m)) and the inverse of x^(p^m+1) can be carried out in the sub-field. The inverse of x may be obtained by multiplying (x^(p^m+1))⁻¹ by x^(p^m), that is, x⁻¹ = (x^(p^m+1))⁻¹ · x^(p^m).

FIELD

The present invention relates to Galois field computations, and to methods and devices for the computation of the inversions of Galois field elements.

BACKGROUND

A Galois field GF(n) is a set of elements that allows binary operations, such as addition and multiplication operations. Computations of Galois field elements are frequently seen in communication systems and encryption standards, such as encryption standards for wireless applications. For example, Wireless Local Area Networks (WLAN) may rely on the use of encryption to ensure security of data transmitted wirelessly. One of the WLAN standards, IEEE 802.11i, incorporates the Advanced Encryption Standard (AES) by the National Institute of Standards and Technology (NIST), and the AES is based on the Rijndael Block Cipher. In implementing the AES, a Galois field is used for various computations, which may consume a majority of hardware resources. In particular, the computation of inversions in a Galois field, such as GF(2⁸), is one of the primary factors in consuming hardware resources.

A conventional implementation uses a look-up table to store the multiplicative inverses for all 255 nonzero elements in GF(2⁸). This approach is straightforward and has little latency, but requires a lot of logic gates, hence a larger area in an ASIC and higher power consumption. A well-known approach is to use the Extended Euclidean Algorithm (EEA). For example, assume the field GF(2⁸) is constituted by some irreducible polynomial f(x) of degree eight. By the irreducibility of f(x), every nonzero element in GF(2⁸), when represented in its polynomial form, such as p(x), is co-prime to f(x). That is, the greatest common divisor between f(x) and p(x) is one.

The EEA can then be used to find two polynomials q(x) and r(x) so that p(x) q(x) + f(x) r(x) = 1. Conducting modulo-reduction on both sides by f(x), one may obtain p(x) q(x) = 1 mod (f(x)), and hence, q(x) is exactly the multiplicative inverse of p(x) in GF(2⁸). Generally, to find the multiplicative inverse in GF(2^(m)), the EEA requires 2m time steps and has an area complexity of O(m). This method requires less hardware, but may suffer from larger latency, which will not be suitable for a high-throughput system, such as a WLAN system.

An alternate approach includes performing the required computations in the sub-field to reduce hardware complexity. Observing that the field GF(2⁴) is a sub-field of GF(2⁸), GF(2⁸) can be constructed by using some primitive polynomial g(x)=x²+x+λ for some λ in GF(2⁴). In this approach, all computations are done in the sub-field GF(2⁴). To compute inv(x), the above algorithm requires 4 multiplications and one multiplicative inversion in GF(16). Due to the complexity of the traditional techniques, there is a need for a technique for computing Galois field inversions that may bring simplicity in computation of hardware and software implementations.
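The EEA-based inversion described above can be illustrated with the following Python code, which is an added example and not part of the original disclosure. It returns both q(x) and r(x) so that the identity p(x) q(x) + f(x) r(x) = 1 can be checked directly; polynomials over GF(2) are stored as integers, f(x) is assumed to be x⁸+x⁴+x³+x+1 (the polynomial used later in this description), and all function names are illustrative.

```python
# Added example (not from the original text): EEA inversion in GF(2^8).
# A polynomial over GF(2) is an int; bit i is the coefficient of x^i.
F = 0x11B  # assumed f(x) = x^8 + x^4 + x^3 + x + 1

def poly_divmod(a, b):
    """Quotient and remainder of a(x) / b(x) over GF(2)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift          # record the quotient term x^shift
        a ^= b << shift          # subtract (XOR) the shifted divisor
    return q, a

def poly_mul(a, b):
    """Carry-less product of a(x) and b(x) over GF(2), without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def eea(p, f=F):
    """Return (q, r) such that p*q + f*r = 1 over GF(2)."""
    p = poly_divmod(p, f)[1]
    if p == 0:
        raise ValueError("p(x) is a multiple of f(x); no inverse exists")
    r0, r1 = f, p
    q0, q1 = 0, 1                # cofactors of p: r_i = q_i*p + t_i*f
    t0, t1 = 1, 0                # cofactors of f
    while r1 != 1:               # gcd(p, f) = 1 because f is irreducible
        quot, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        q0, q1 = q1, q0 ^ poly_mul(quot, q1)
        t0, t1 = t1, t0 ^ poly_mul(quot, t1)
    return q1, t1

def eea_inverse(p, f=F):
    """Multiplicative inverse of p(x) modulo f(x)."""
    return eea(p, f)[0]
```

The number of loop iterations depends on the input, which is the latency cost the paragraph above attributes to the EEA.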

SUMMARY

An aspect of the invention includes a data encryption method. The encryption method comprises the computation of the inverse of an element x in Galois field GF(p^(2m)), wherein p is a prime number and m is an integer. In one embodiment, the computation of the inverse comprises: computing x^(p^m+1); computing an inverse for x^(p^m+1) in GF(p^(m)), (x^(p^m+1))⁻¹; computing x^(p^m); and multiplying (x^(p^m+1))⁻¹ by x^(p^m), to obtain the inverse of the element x, x⁻¹.

Another aspect of the invention includes a data encryption device that is configured to compute at least an inverse of an element x in Galois field GF(p^(2m)), wherein p is a prime number and m is an integer. The device comprises: a first group of logic gates being configured to compute x^(p^m+1); a second group of logic gates being configured to compute an inverse for x^(p^m+1) in GF(p^(m)), (x^(p^m+1))⁻¹; a third group of logic gates being configured to compute x^(p^m); and a fourth group of logic gates being configured to multiply (x^(p^m+1))⁻¹ by x^(p^m), to obtain the inverse of the element x, x⁻¹.

Another aspect of the invention includes a method of computing an inverse of an element x in Galois field GF(p^(2m)), wherein p is a prime number and m is an integer. In one embodiment, the method comprises: computing x^(p^m+1); computing an inverse for x^(p^m+1) in GF(p^(m)), (x^(p^m+1))⁻¹; computing x^(p^m); and multiplying (x^(p^m+1))⁻¹ by x^(p^m), to obtain the inverse of the element x, x⁻¹.

DESCRIPTION OF THE DRAWING

FIG. 1 is a schematic block diagram illustrating a device for computing the inversion in GF(256) in embodiments consistent with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to Galois field computations, including the computation of the inversions of Galois field elements, such as those computations applicable to wireless local area network security applications. Embodiments consistent with the invention may provide techniques for computing the inversion of an element in a Galois field that may bring simplicity, efficiency, or both, in hardware or software implementations. Furthermore, embodiments consistent with the invention may allow circuit size reduction, including substantial chip area reduction in hardware implementations, thereby allowing and benefiting applications such as WLAN security applications.

To illustrate the computation in embodiments consistent with the invention, we may use the computation in GF(256) as an example. To find the multiplicative inverse in GF(256), we first look at the properties of GF(256): for any nonzero element x in GF(256), x⁽²⁵⁶⁻¹⁾=1. And for any element x in GF(256), x¹⁷ is in GF(16), a sub-field of GF(256), since for all nonzero elements, (x¹⁷)⁽¹⁶⁻¹⁾=1. Therefore, we may derive the following equation:

Inverse_(GF(256))(x) = x¹⁶ · x⁻¹⁷ = x¹⁶ · Inverse_(GF(16))(x¹⁷).

The inversion of GF(256) can be greatly simplified by using the above observation, which may be broken down into several steps of:

compute x¹⁷;

compute (x¹⁷)⁻¹;

compute x¹⁶; and

multiplication of x¹⁶ and (x¹⁷)⁻¹.

Each of these steps can also be systematically constructed using AND and XOR gates. FIG. 1 is a schematic block diagram for the inversion of GF(256) according to an embodiment of the present invention. In FIG. 1, X is an element in GF(256) represented by the 8-tuple (a7, a6, a5, a4, a3, a2, a1, a0). Block 20 takes X as input and produces as an output X¹⁶, in an 8-tuple form as (b7, b6, b5, b4, b3, b2, b1, b0). For example, block 20 raises X to the 16-th power, which only involves linear operations, so only XOR gates are needed. In one example, one can generate an alternative design using CAD tools by providing the input-output relation in equation or truth-table formats. Examples of details are explained below. For example:

b₀ = a₀ + a₄ + a₅ + a₆
b₁ = a₁
b₂ = a₁ + a₂ + a₄ + a₆ + a₇
b₃ = a₁ + a₃ + a₄ + a₆ + a₇
b₄ = a₁ + a₅ + a₆
b₅ = a₂ + a₃ + a₇
b₆ = a₁ + a₂ + a₃ + a₄ + a₇
b₇ = a₂ + a₃ + a₅

Block 40 takes X and produces X¹⁷, in another 8-tuple (c7, c6, c5, c4, c3, c2, c1, c0). Inverter 60 inverts X¹⁷ to X⁻¹⁷ in the 8-tuple (d7, d6, d5, d4, d3, d2, d1, d0). Multiplier 80 multiplies X¹⁶ by X⁻¹⁷ to obtain X⁻¹, as (e7, e6, e5, e4, e3, e2, e1, e0). The following paragraphs will illustrate the operations in further detail.

We may use an irreducible polynomial x⁸+x⁴+x³+x¹+1 for the construction of GF(256). All elements of GF(256) can then be represented as an 8-tuple (a₇a₆a₅a₄a₃a₂a₁a₀), which may be equivalently represented by the residual polynomial a₇x⁷+a₆x⁶+a₅x⁵+a₄x⁴+a₃x³+a₂x²+a₁x+a₀, where a_i = 0 or 1. Addition in GF(256) is computed by adding polynomials, with each coefficient modulo 2, which is equivalent to bit-wise XORs using an 8-tuple representation. Multiplication in GF(256) is computed by multiplying the polynomials with each coefficient modulo 2, and reducing the resulting polynomial modulo the irreducible polynomial x⁸+x⁴+x³+x¹+1.

It can be shown that the element α=x+1 (denoted, with its coefficients in descending order, as the binary number b′00000011) is a primitive element in GF(256). For all discussions below, we will use α¹⁷=(b′00000011)¹⁷=b′11100001 as a primitive element in GF(16).

And the 16 elements of GF(16) are:

- 00000000
- 11100001 (=α¹⁷)
- 01011100 (=(α¹⁷)²)
- 00001100 (=(α¹⁷)³)
- 11100000 (=(α¹⁷)⁴)
- 10111101 (=(α¹⁷)⁵)
- 01010000 (=(α¹⁷)⁶)
- 11101100 (=(α¹⁷)⁷)
- 01011101 (=(α¹⁷)⁸)
- 11101101 (=(α¹⁷)⁹)
- 10111100 (=(α¹⁷)¹⁰)
- 10110001 (=(α¹⁷)¹¹)
- 10110000 (=(α¹⁷)¹²)
- 01010001 (=(α¹⁷)¹³)
- 00001101 (=(α¹⁷)¹⁴)
- 00000001 (=(α¹⁷)¹⁵)

Note these are in the representation of GF(256).

And we can find the four basis elements for GF(16) as follows:

- 00000001
- 00001100
- 01010000
- 11100000

Or, equivalently, one can represent the four basis elements in polynomial form as follows:

- 1
- x³+x²
- x⁶+x⁴
- x⁷+x⁶+x⁵

All 16 elements in GF(16) can be represented by a linear combination of the above basis. And the linear combination can be respectively extracted by bits 1, 3, 5, 6, with the right-most bit as the first bit. For example:

10110001 = 1·(00000001) + 0·(00001100) + 1·(01010000) + 1·(11100000)

In the above example, the first basis element is multiplied by 1 (since the 1st bit for 01010001 is 1), the second basis element is multiplied by 0 (since the 3rd bit for 01010001 is 0), the third basis element is multiplied by 1 (since the 5th bit for 01010001 is 1), and the fourth basis element is multiplied by 1 (since the 6th bit for 01010001 is 1).

Since

$\left(\sum_{i=0}^{7} a_i x^i\right)^2 = \sum_{i=0}^{7} a_i x^{2i} \bmod \left(x^8 + x^4 + x^3 + x^1 + 1\right),$

raising to the power of 2 in GF(2⁸) is always a linear operation, so computing x¹⁶ can be implemented with only XOR gates. Specifically, if x=(a₇a₆a₅a₄a₃a₂a₁a₀), and x¹⁶=(b₇b₆b₅b₄b₃b₂b₁b₀), one may derive the following relationships:

b₀ = a₀ + a₄ + a₅ + a₆
b₁ = a₁
b₂ = a₁ + a₂ + a₄ + a₆ + a₇
b₃ = a₁ + a₃ + a₄ + a₆ + a₇
b₄ = a₁ + a₅ + a₆
b₅ = a₂ + a₃ + a₇
b₆ = a₁ + a₂ + a₃ + a₄ + a₇
b₇ = a₂ + a₃ + a₅

Since x¹⁷=x¹⁶x, computing x¹⁷ is a quadratic function. If

$x^{17} = (c_7 c_6 c_5 c_4 c_3 c_2 c_1 c_0) = \sum_{i=0}^{7} c_i x^i = \left(\sum_{i=0}^{7} a_i x^i\right)\left(\sum_{i=0}^{7} b_i x^i\right) \bmod \left(x^8 + x^4 + x^3 + x^1 + 1\right),$

then c_i will be in the form of:

c_i = Σ a_j b_l, for i = 0, 1, 2, . . . , 7.

As a result, the b_i's are linear functions in the a_j's, and f(x)=x¹⁷ can be implemented using two-input AND gates to generate some intermediate functions, and XOR gates to generate the final (x¹⁷) function. Furthermore, because x¹⁷ is in GF(16), only c₀, c₂, c₄, c₅ need to be calculated. Since a_i is either 0 or 1, a_i² = a_i. A two-input AND function with two identical inputs becomes an “identity” function with one input. In addition to the eight “identity” functions, one can easily find that there are only a total of 28 non-trivial “two-input” AND functions as follows:

- f₁=a₁a₀
- f₂=a₂a₀
- f₃=a₂a₁
- f₄=a₃a₀
- f₅=a₃a₁
- f₆=a₃a₂
- f₇=a₄a₀
- f₈=a₄a₁
- f₉=a₄a₂
- f₁₀=a₄a₃
- f₁₁=a₅a₀
- f₁₂=a₅a₁
- f₁₃=a₅a₂
- f₁₄=a₅a₃
- f₁₅=a₅a₄
- f₁₆=a₆a₀
- f₁₇=a₆a₁
- f₁₈=a₆a₂
- f₁₉=a₆a₃
- f₂₀=a₆a₄
- f₂₁=a₆a₅
- f₂₂=a₇a₀
- f₂₃=a₇a₁
- f₂₄=a₇a₂
- f₂₅=a₇a₃
- f₂₆=a₇a₄
- f₂₇=a₇a₅
- f₂₈=a₇a₆

And one can derive the following expressions for c₀, c₂, c₄ and c₅:

c₀ = a₀ + a₂ + a₃ + a₅ + a₆ + f₅ + f₇ + f₈ + f₉ + f₁₁ + f₁₃ + f₁₆ + f₁₈ + f₂₀ + f₂₄ + f₂₅ + f₂₆ + f₂₇
c₂ = a₁ + a₂ + a₄ + a₅ + a₇ + f₁ + f₅ + f₆ + f₇ + f₈ + f₉ + f₁₀ + f₁₂ + f₁₃ + f₁₆ + f₂₀ + f₂₁ + f₂₂ + f₂₃ + f₂₅ + f₂₆ + f₂₇ + f₂₈
c₄ = a₁ + a₂ + a₄ + a₅ + a₇ + f₁ + f₃ + f₇ + f₁₀ + f₁₁ + f₁₅ + f₁₆ + f₁₇ + f₁₈ + f₂₅ + f₂₈
c₅ = a₁ + a₂ + a₄ + a₅ + a₇ + f₂ + f₃ + f₄ + f₆ + f₉ + f₁₁ + f₁₃ + f₁₄ + f₁₅ + f₁₉ + f₂₁ + f₂₂ + f₂₄ + f₂₇

In this example, f₇, f₁₆ and f₂₅ contribute to all three output bits: c₀, c₂, and c₄. Furthermore, optimization can be performed using CAD (Computer Aided Design) tools to minimize the number of gates and/or delay for each block.

As for the inversion in GF(16) block, each of its 4 output bits is not a quadratic function of the 4 input bits. If the 4-bit representation of x⁻¹⁷=(d₅d₄d₂d₀) and x¹⁷=(c₅c₄c₂c₀), then the inversion may be defined with the following table:

Input (c₅c₄c₂c₀)    Output (d₅d₄d₂d₀)
0001                0 0 0 1
0010                1 1 0 0
0011                0 1 0 0
0100                1 0 1 1
0101                1 1 0 0
0110                0 0 1 0
0111                0 1 1 0
1000                1 1 0 1
1001                1 1 1 1
1010                0 1 1 0
1011                1 0 0 1
1100                0 1 0 0
1101                1 0 0 0
1110                0 1 0 1
1111                1 1 0 1

Because it is a 4-bit-IN, 4-bit-OUT look-up table, computer-aided-design (CAD) tools may be used to design the circuit and optimize the circuit size or delay by specifying the input or output truth table.

For the x¹⁶ times x⁻¹⁷, one may need to first convert the 4-bit representation in GF(16) for x⁻¹⁷ to its equivalent 8-bit representation in GF(256). This may be a linear operation as explained below. In the 4-bit representation of x⁻¹⁷=(d₅d₄d₂d₀), the four basis elements for GF(16) are:

- 00000001 (or equivalently, 1, in its polynomial form)
- 00001100 (or equivalently, x³+x², in its polynomial form)
- 01010000 (or equivalently, x⁶+x⁴, in its polynomial form)
- 11100000 (or equivalently, x⁷+x⁶+x⁵, in its polynomial form)

The polynomial representation for x⁻¹⁷ is:

d₅x⁷ + (d₅+d₄)x⁶ + d₅x⁵ + d₄x⁴ + d₂x³ + d₂x² + d₀x⁰

The multiplication of x⁻¹⁷ by x¹⁶, with x¹⁶=(b₇b₆b₅b₄b₃b₂b₁b₀), may be represented as:

$\sum_{i=0}^{7} e_i x^i = \left(d_5 x^7 + (d_5 + d_4) x^6 + d_5 x^5 + d_4 x^4 + d_2 x^3 + d_2 x^2 + d_0 x^0\right)\left(\sum_{i=0}^{7} b_i x^i\right) \bmod \left(x^8 + x^4 + x^3 + x^1 + 1\right)$

The coefficients e_i, where i = 0, 1, . . . 7, are quadratic functions of b_i and d_i. Therefore,

e₀ = d₀b₀ + d₂b₅ + d₂b₆ + d₄b₂ + d₄b₄ + d₄b₆ + d₄b₇ + d₅b₁ + d₅b₂ + d₅b₃ + d₅b₅
e₁ = d₀b₁ + d₂b₅ + d₂b₇ + d₄b₂ + d₄b₃ + d₄b₄ + d₄b₅ + d₄b₆ + d₅b₁ + d₅b₄ + d₅b₅ + d₅b₆
e₂ = d₀b₂ + d₂b₀ + d₂b₆ + d₄b₃ + d₄b₄ + d₄b₅ + d₄b₆ + d₄b₇ + d₅b₂ + d₅b₅ + d₅b₆ + d₅b₇
e₃ = d₀b₃ + d₂b₀ + d₂b₁ + d₂b₅ + d₂b₆ + d₂b₇ + d₄b₂ + d₄b₅ + d₅b₁ + d₅b₂ + d₅b₅ + d₅b₆ + d₅b₇
e₄ = d₀b₄ + d₂b₁ + d₂b₂ + d₂b₅ + d₂b₇ + d₄b₀ + d₄b₂ + d₄b₃ + d₄b₄ + d₄b₇ + d₅b₁ + d₅b₅ + d₅b₆ + d₅b₇
e₅ = d₀b₅ + d₂b₂ + d₂b₃ + d₂b₆ + d₄b₁ + d₄b₃ + d₄b₄ + d₄b₅ + d₅b₀ + d₅b₂ + d₅b₆ + d₅b₇
e₆ = d₀b₆ + d₂b₃ + d₂b₄ + d₂b₇ + d₄b₀ + d₄b₂ + d₄b₄ + d₄b₅ + d₄b₆ + d₅b₀ + d₅b₁ + d₅b₃ + d₅b₇
e₇ = d₀b₇ + d₂b₄ + d₂b₅ + d₄b₁ + d₄b₃ + d₄b₅ + d₄b₆ + d₄b₇ + d₅b₀ + d₅b₁ + d₅b₂ + d₅b₄

For the circuit design, a computer-aided-design (CAD) tool may be used to optimize the design.

From the above discussion, the benefit of the invention may be achieved by breaking down the 8-bit-to-8-bit inverse function in GF(256) into several blocks, such as the blocks illustrated in FIG. 1, using the linear property of the x¹⁶ function, the quadratic property of the x¹⁷ function, and the 4-bit-to-4-bit operation in the reduced field GF(16). For example, using the 0.18 μm process, the proposed implementation has a size of 494 ASIC gates in one embodiment, compared with 713 ASIC gates for a table look-up implementation. In one embodiment, one ASIC gate is about 10 μm² in area. Therefore, some embodiments consistent with the invention may provide size reduction of 30%.

The multiplicative inversion in GF(256) noted above may be generalized to the design for multiplicative inversion for any GF(p^(2m)), where p is a prime. For design purposes, raising to the p^m-th power in GF(p^(2m)) may be a linear operation on the (2m)-tuple representation of the element. Raising to the (p^m+1)-th power may also be implemented as a quadratic function. The field GF(p^(m)) is a subfield of GF(p^(2m)) as m divides 2m. These properties can be used to break down and simplify the design in computing the multiplicative inverse for any nonzero element in GF(p^(2m)). We now describe the procedure in detail below.

For any element x in GF(p^(2m)), x^(p^m+1) is an element in the sub-field GF(p^(m)) since (x^(p^m+1))^(p^m−1) = x^(p^(2m)−1) = 1. The computation of the multiplicative inverse in GF(p^(2m)) can be broken down into the following 4 steps:

compute x^(p^m+1), which is a quadratic function,

compute the inverse for x^(p^m+1) in GF(p^(m)), (x^(p^m+1))⁻¹,

compute x^(p^m), which is a linear operation in GF(p^(2m)), and

multiply (x^(p^m+1))⁻¹ by x^(p^m), which is a quadratic function.
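The four steps above, instantiated for GF(256) with p=2 and m=4 as in the earlier discussion of FIG. 1, can be exercised with the following Python code. This is an added example, not the circuit or code of the original disclosure: x¹⁶ uses the XOR equations for b₀..b₇ given above, while the 16-entry GF(16) inversion table is derived here from field arithmetic (y⁻¹ = y¹⁴ in GF(16)) rather than copied from the table above, and all function names are illustrative.

```python
# Added example (not the patent's circuit): GF(256) inversion via the GF(16) subfield.
POLY = 0x11B                       # x^8 + x^4 + x^3 + x + 1
BITS = (0, 2, 4, 5)                # bit positions carrying the GF(16) coordinates
BASIS = (0x01, 0x0C, 0x50, 0xE0)   # the four GF(16) basis elements listed above

def gf_mul(a, b):
    """Multiply in GF(256): shift-and-add with reduction by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, n):
    """Square-and-multiply exponentiation, used as the reference."""
    r = 1
    while n:
        if n & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        n >>= 1
    return r

def pow16_xor(x):
    """x^16 from the XOR-only equations for b0..b7 (block 20)."""
    a = [(x >> i) & 1 for i in range(8)]
    b = [a[0] ^ a[4] ^ a[5] ^ a[6], a[1],
         a[1] ^ a[2] ^ a[4] ^ a[6] ^ a[7], a[1] ^ a[3] ^ a[4] ^ a[6] ^ a[7],
         a[1] ^ a[5] ^ a[6], a[2] ^ a[3] ^ a[7],
         a[1] ^ a[2] ^ a[3] ^ a[4] ^ a[7], a[2] ^ a[3] ^ a[5]]
    return sum(bit << i for i, bit in enumerate(b))

def to4(y):
    """GF(16) element in 8-bit form -> 4-bit value (c5 c4 c2 c0)."""
    return sum(((y >> bit) & 1) << k for k, bit in enumerate(BITS))

def to8(d):
    """4-bit value (d5 d4 d2 d0) -> 8-bit form, a linear (XOR-only) map."""
    y = 0
    for k, basis in enumerate(BASIS):
        y ^= basis * ((d >> k) & 1)
    return y

# 4-bit-in, 4-bit-out inversion table, derived here from the field arithmetic:
# every nonzero y in GF(16) satisfies y^15 = 1, so y^-1 = y^14.
INV16 = [0] + [to4(gf_pow(to8(c), 14)) for c in range(1, 16)]

def inverse(x):
    """x^-1 = x^16 * (x^17)^-1, with the inversion done in GF(16)."""
    if x == 0:
        raise ValueError("zero has no multiplicative inverse")
    x16 = pow16_xor(x)               # linear: XOR gates only
    x17 = gf_mul(x16, x)             # quadratic; the result lies in GF(16)
    d = INV16[to4(x17)]              # subfield inversion by 16-entry table
    return gf_mul(x16, to8(d))       # final multiplication in GF(256)
```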

The foregoing disclosure of the preferred embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many variations and modifications of the embodiments described herein will be apparent to one of ordinary skill in the art in light of the above disclosure. The scope of the invention is to be defined only by the claims appended hereto, and by their equivalents.

Further, in describing representative embodiments of the present invention, the specification may have presented the method or process consistent with the present invention as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described.

1. A data encryption device configured to compute at least an inverse of numerical data element x in Galois field GF(p^(2m)), wherein p is a prime number and m is an integer, the device comprising: a first group of logic gates being configured to compute x^(p^m+1); a second group of logic gates being configured to compute an inverse for x^(p^m+1) in GF(p^(m)), (x^(p^m+1))⁻¹; a third group of logic gates being configured to compute x^(p^m); and a fourth group of logic gates being configured to multiply (x^(p^m+1))⁻¹ by x^(p^m), to obtain the inverse of the numerical data element x, x⁻¹.
 2. The device of claim 1, wherein each of the first, second, third, and fourth groups of logic gates includes a combination of AND gates and XOR gates.
 3. The device of claim 1, wherein the first group of logic gates includes XOR gates and 2-input AND gates.
 4. The device of claim 1, wherein the second group of logic gates comprises logic gates designed by a computer-aided-design tool.
 5. The device of claim 1, wherein the third group of logic gates includes XOR gates.
 6. The device of claim 1, wherein the fourth group of logic gates includes AND gates and XOR gates.